Privacy Policy
Last updated: February 5, 2026
Flux ("the Application") is operated by Vector Costa Rica ("we," "us," "our"). This Privacy Policy describes how we collect, use, store, and protect your information when you use the Flux application. We do not sell your personal data. By using Flux, you agree to the practices described here.
Data controller
The data controller responsible for your personal data is Vector Costa Rica. For requests regarding your data (access, correction, deletion, portability, or restriction), contact the administrator who created your account or reach out to the Flux team at Vector Costa Rica.
Data we collect
We collect and store only what is necessary to provide the service:
- Account data: email address and a one-way hashed password (we never store your plain-text password).
- Financial and usage data you enter: ledger names, income, expenses (bills), balances (sources and buckets), settings (e.g. payday, cadence), transfer history, and audit log entries (e.g. "mission added").
- Technical: session identifier stored in an HTTP-only cookie for authentication; password-reset tokens (hashed, short-lived) when you request a password reset.
Sensitive fields (account numbers, account labels, bill names and descriptions) are encrypted at rest using AES-256-GCM.
Legal basis
We process your data (i) to perform our contract with you (providing the Flux service), (ii) where necessary for our legitimate interests (security, fraud prevention, service improvement), and (iii) where required by law. We do not rely on consent for core service processing.
How we use your data
We store your data solely to provide the Application's functionality. Your data is used exclusively to: operate and maintain your account; provide calculations (e.g. spendable today, health index, transfer manifest); store and sync your ledgers and preferences; send you transactional emails (e.g. password reset) when you request them; and enforce security (e.g. rate limiting). We will never access, sell, rent, or share your data with third parties for marketing, advertising, or any other purpose. Your data belongs to you and is never used for any purpose other than providing the service you requested.
Cookies and similar technologies
We use only strictly necessary cookies: one session cookie (e.g. "lv_fin.sid") that stores your session identifier so you remain logged in. It is HTTP-only, is marked secure in production (HTTPS), has a same-site policy, and has a maximum lifetime of seven days. We do not use tracking, advertising, or analytics cookies.
Third-party services
We may use a trusted email provider (e.g. Resend) solely to send transactional emails (such as password-reset links) that you request. That provider processes the minimum data needed (e.g. your email address and the reset link) and is bound by its own privacy and data-processing terms. We do not share your financial data with third parties for marketing or advertising.
Retention and deletion
Session data is retained for up to seven days of inactivity. Password-reset tokens expire within one hour and are deleted after use. Your account and associated financial data are retained only as long as your account exists. When you request account deletion (available now through an administrator, and in the future directly in the Application), we immediately and permanently remove your user record and ALL associated data including ledgers, bills, balances, settings, transfers, audit logs, and password-reset tokens. We do not retain any of your data after account deletion.
Your rights
Depending on your jurisdiction, you may have the right to: access your personal data; request correction of inaccurate data; request erasure ("right to be forgotten"); request a copy of your data in a portable format (we support CSV export of transfer data from within the app; for full data export or deletion, contact your administrator or us); object to or restrict certain processing; and lodge a complaint with a supervisory authority. To exercise these rights, contact the administrator who created your account or the Flux team at Vector Costa Rica. We will respond within a reasonable time and in accordance with applicable law.
Minors
Flux is not directed at individuals under the age of 16. We do not knowingly collect personal data from minors. Accounts are created only by administrators; if you believe a minor's data has been submitted, contact us so we can delete it.
International transfer
Your data may be stored and processed on servers located in one or more countries. If you are in the European Economic Area or another jurisdiction with transfer restrictions, we ensure appropriate safeguards (e.g. standard contractual clauses or adequacy decisions) where required by law.
Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top will be revised when we do. Continued use of Flux after changes constitutes acceptance of the updated policy. For material changes, we may notify you via the app or email where feasible.
Contact
For privacy-related requests or questions, contact the administrator who created your account or the Flux team at Vector Costa Rica.

